@paspo paspo commented Jun 18, 2024

ref. #424

Running hbbs and hbbr as a simple user is indeed a good idea.

We can do this in 2 ways:
1 - run s6 as root and run the services as a normal user
2 - run the whole container as an unprivileged user

The advantage of the first solution is that we can define 2 ENV variables (PGID and PUID) to set the user and group ID used to run the binaries; the downside is that the s6 part of the container is still running as root.

```
/data # ps aux
PID   USER     TIME  COMMAND
    1 root      0:00 /package/admin/s6/command/s6-svscan -d4 -- /run/service
   17 root      0:00 s6-supervise s6-linux-init-shutdownd
   18 root      0:00 /package/admin/s6-linux-init/command/s6-linux-init-shutdownd -d3 -c /run/s6/basedir -g 3000 -C -B
   26 root      0:00 s6-supervise s6rc-oneshot-runner
   27 root      0:00 s6-supervise s6rc-fdholder
   28 root      0:00 s6-supervise hbbr
   29 root      0:00 s6-supervise hbbs
   35 root      0:00 /package/admin/s6/command/s6-ipcserverd -1 -- /package/admin/s6/command/s6-ipcserver-access -v0 -E -l0 -i data/rules -- /package/admin/s6/command/s6-sudod -t 30000 -- /package/admin/s6-rc/command/s6-rc-one
   67 rustdesk  0:00 /usr/bin/hbbr
   72 rustdesk  0:00 /usr/bin/hbbs -r relay.example.com
  118 root      0:00 sh
  124 root      0:00 ps aux
```

The advantage of the second solution is obvious: everything is run with user privileges.

```
~ $ ps aux
PID   USER     TIME  COMMAND
    1 rustdesk  0:00 /package/admin/s6/command/s6-svscan -d4 -- /run/service
   21 rustdesk  0:00 s6-supervise s6-linux-init-shutdownd
   23 rustdesk  0:00 /package/admin/s6-linux-init/command/s6-linux-init-shutdownd -d3 -c /run/s6/basedir -g 3000 -C -B
   30 rustdesk  0:00 s6-supervise s6rc-oneshot-runner
   31 rustdesk  0:00 s6-supervise s6rc-fdholder
   32 rustdesk  0:00 s6-supervise hbbr
   33 rustdesk  0:00 s6-supervise hbbs
   39 rustdesk  0:00 /package/admin/s6/command/s6-ipcserverd -1 -- /package/admin/s6/command/s6-ipcserver-access -v0 -E -l0 -i data/rules -- /package/admin/s6/command/s6-sudod -t 30000 -- /package/admin/s6-rc/command/s6-rc-one
   63 rustdesk  0:00 sh ./run hbbr
   69 rustdesk  0:00 sh ./run hbbs
   73 rustdesk  0:00 /usr/bin/hbbr
  105 rustdesk  0:00 /usr/bin/hbbs -r relay.example.com
  121 rustdesk  0:00 sh
 1163 rustdesk  0:00 ps aux
~ $ whoami
rustdesk
```

@rustdesk, your opinion?
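
An added example (not part of this comment or the PR's code): a shell check that reads BusyBox-style `ps` output like the listings above and tests the two properties the options differ on, whether anything still runs as root and whether `hbbs`/`hbbr` themselves are unprivileged. The function names and the abridged sample listings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Input on stdin: BusyBox `ps` output (PID USER TIME COMMAND).

# Print "PID<TAB>COMMAND" for every process owned by root.
root_procs() {
    awk '$1 ~ /^[0-9]+$/ && $2 == "root" {
        cmd = $4
        for (i = 5; i <= NF; i++) cmd = cmd " " $i
        print $1 "\t" cmd
    }'
}

# Succeed only if hbbs and hbbr are both running and neither is owned by root.
services_unprivileged() {
    awk '$1 ~ /^[0-9]+$/ && ($4 == "/usr/bin/hbbs" || $4 == "/usr/bin/hbbr") {
        seen[$4] = 1
        if ($2 == "root") bad = 1
    }
    END { exit !(seen["/usr/bin/hbbs"] && seen["/usr/bin/hbbr"] && !bad) }'
}

# Sample listings, abridged from the two `ps aux` outputs in the comment.
OPTION1='PID   USER     TIME  COMMAND
    1 root      0:00 /package/admin/s6/command/s6-svscan -d4 -- /run/service
   28 root      0:00 s6-supervise hbbr
   29 root      0:00 s6-supervise hbbs
   67 rustdesk  0:00 /usr/bin/hbbr
   72 rustdesk  0:00 /usr/bin/hbbs -r relay.example.com'

OPTION2='PID   USER     TIME  COMMAND
    1 rustdesk  0:00 /package/admin/s6/command/s6-svscan -d4 -- /run/service
   32 rustdesk  0:00 s6-supervise hbbr
   33 rustdesk  0:00 s6-supervise hbbs
   73 rustdesk  0:00 /usr/bin/hbbr
  105 rustdesk  0:00 /usr/bin/hbbs -r relay.example.com'

# Option 1: services pass, but the s6 supervision tree is still listed as root.
echo "option 1, root-owned processes:"
printf '%s\n' "$OPTION1" | root_procs
# Option 2: nothing is listed.
echo "option 2, root-owned processes:"
printf '%s\n' "$OPTION2" | root_procs
```

Inside a running container the same functions can be fed live output, for example `ps aux | root_procs`.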
